CVE-2025-65805: OAI CN5G AMF: Unauthenticated buffer overflow, RCE/DoS

HIGH
Published January 7, 2026
CISO Take

OpenAirInterface CN5G AMF (<=v2.1.9) contains a stack-based buffer overflow (CWE-121) triggered by sending an IMSI string exceeding 1000 characters to the N1 interface — no authentication, no user interaction, network-accessible. This matters to AI security teams because 5G core infrastructure underpins edge AI deployments, autonomous systems, and IoT sensor networks that feed AI pipelines; a compromised AMF can sever connectivity for entire 5G network slices. With 13,670 downstream dependents and an OpenSSF score of only 6.3/10, the blast radius extends well beyond direct adopters. No public exploit or CISA KEV entry exists today, but the trivial attack complexity (just craft an oversized IMSI and hit port N1) means weaponization is low-effort. Upgrade to a version beyond v2.1.9 immediately; if patching is blocked, restrict N1 interface access to trusted UE management networks via firewall rules and monitor for anomalous NAS message lengths.

Sources: NVD, ATLAS, OpenSSF

Risk Assessment

High risk for organizations running OpenAirInterface-based 5G core deployments, particularly private 5G networks supporting AI edge inference, industrial IoT, or autonomous systems. CVSS 7.5 reflects the unauthenticated, network-accessible, zero-user-interaction nature of the flaw. No EPSS data available, but attack complexity is low — a single malformed NAS registration request is sufficient. The DoS path is certain; RCE likelihood depends on memory layout, ASLR/stack canary controls, and runtime hardening of the specific build. The absence of a patch version in the advisory increases residual risk.

Affected Systems

Package        Ecosystem   Vulnerable Range   Patched
oai-cn5g-amf   pip                            No patch


Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Patch: Upgrade OAI CN5G AMF beyond v2.1.9 as soon as a fixed release is available — monitor the upstream repository (last push: 2026-04-04).
  2. Network segmentation: Restrict access to the N1 interface (UE-to-AMF) to known, trusted network segments; block external/untrusted sources at the firewall perimeter.
  3. Input validation workaround: If running a custom build, apply an input-length guard on IMSI parsing in NAS message handlers prior to buffer write operations.
  4. Detection: Alert on NAS Registration Request messages containing IMSI fields >64 bytes (valid IMSIs are 15 digits); correlate with AMF process crashes or restarts.
  5. Runtime hardening: Confirm the deployed binary is compiled with stack canaries (-fstack-protector-strong), ASLR enabled, and NX/DEP to constrain RCE exploitability.
  6. Inventory: Audit all private 5G deployments — OAI is common in academic, research, and industrial IoT environments that may also run AI workloads.
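Steps 3 and 4 above describe two controls: a length guard applied to the IMSI field before it is written into a fixed buffer, and a detection rule that flags Registration Requests whose IMSI field is longer than 64 bytes. The following is an added illustration of both, written for this page; it is not OAI's code and does not reflect how the AMF's NAS parser is actually structured. The function names, the buffer size, the `nas_reg_req_log` record and the sample records are constructed assumptions. The only facts it leans on are the 15-digit IMSI maximum from 3GPP TS 23.003 and the 64-byte alert threshold stated in step 4.

```c
/* Added example (not OAI CN5G code): a bounded IMSI validator and a length-based
 * detection rule for NAS Registration Requests. Names, sizes and the sample
 * records are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 3GPP TS 23.003: an IMSI is at most 15 decimal digits. */
#define IMSI_MAX_DIGITS 15
/* Detection threshold from the advisory's guidance (>64 bytes is anomalous). */
#define IMSI_ALERT_THRESHOLD 64

enum imsi_status { IMSI_OK = 0, IMSI_TOO_LONG, IMSI_BAD_CHAR, IMSI_EMPTY };

/* Validate an IMSI field of explicit length `len` (not NUL-terminated on the
 * wire) and copy it into a caller-supplied buffer of size `dstsz`. Both the
 * protocol limit and the destination size are checked before any byte is
 * written, so an oversized field is rejected instead of overrunning `dst`. */
enum imsi_status copy_imsi_checked(char *dst, size_t dstsz,
                                   const uint8_t *field, size_t len)
{
    if (len == 0) return IMSI_EMPTY;
    if (len > IMSI_MAX_DIGITS || len + 1 > dstsz) return IMSI_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        if (field[i] < '0' || field[i] > '9') return IMSI_BAD_CHAR;
    }
    memcpy(dst, field, len);
    dst[len] = '\0';
    return IMSI_OK;
}

/* Detection helper: true when a Registration Request's IMSI field length
 * exceeds the alert threshold. Meant for a NAS-aware probe or IDS rule on the
 * N1 path, to be correlated with AMF crash/restart events. */
bool imsi_field_is_anomalous(size_t field_len)
{
    return field_len > IMSI_ALERT_THRESHOLD;
}

/* Constructed log record for one parsed Registration Request. */
struct nas_reg_req_log {
    const char *src;   /* constructed source identifier (gNB/UE or IP) */
    size_t imsi_len;   /* IMSI field length as observed on the wire */
};

/* Scan records and return how many would raise an alert. */
size_t count_anomalous(const struct nas_reg_req_log *recs, size_t n)
{
    size_t alerts = 0;
    for (size_t i = 0; i < n; i++) {
        if (imsi_field_is_anomalous(recs[i].imsi_len)) alerts++;
    }
    return alerts;
}

int main(void)
{
    char buf[IMSI_MAX_DIGITS + 1];
    const uint8_t good[] = "001010123456789";   /* constructed 15-digit IMSI */
    uint8_t huge[1200];
    memset(huge, '1', sizeof huge);             /* constructed 1200-byte field */

    printf("15-digit IMSI  -> status %d\n",
           copy_imsi_checked(buf, sizeof buf, good, 15));
    printf("1200-byte field -> status %d (rejected before any write)\n",
           copy_imsi_checked(buf, sizeof buf, huge, sizeof huge));

    /* Constructed records: two normal registrations and one oversized field. */
    const struct nas_reg_req_log recs[] = {
        { "gnb-01/ue-17", 15 },
        { "gnb-01/ue-18", 15 },
        { "unknown/203.0.113.9", 1200 },
    };
    printf("alerts          -> %zu of %zu\n", count_anomalous(recs, 3), (size_t)3);
    return 0;
}
```

The guard checks the wire length against both the 3GPP maximum and the destination size before touching the buffer, which is the property step 3 asks for; anything that reaches `memcpy` is guaranteed to fit. The detection threshold is deliberately looser than the 15-digit limit so that benign encoding variations do not page anyone, while a field in the 1000-byte range described by the advisory is unambiguous.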

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
Art. 9 - Risk Management System
ISO 42001
A.6.2.5 - AI System Security
A.9.3 - Information security for AI systems
NIST AI RMF
MANAGE-2.2 - Mechanisms exist to sustain and manage AI risk
OWASP LLM Top 10
LLM10:2025 - Unbounded Consumption

Technical Details

NVD Description

OpenAirInterface CN5G AMF<=v2.1.9 has a buffer overflow vulnerability in processing NAS messages. Unauthorized remote attackers can launch a denial-of-service attack and potentially execute malicious code by accessing port N1 and sending an imsi string longer than 1000 to AMF.

Exploitation Scenario

An adversary targeting an organization's private 5G network (e.g., a smart factory using edge AI for quality control) scans for open N1 interface ports on the AMF host. They send a crafted NAS Registration Request with an IMSI value of 1001+ characters. The oversized string overflows the stack buffer in the AMF's NAS message parser, crashing the AMF process and immediately disconnecting all AI-enabled edge devices on the 5G slice — halting real-time inference, disrupting production lines, and creating a window for physical or logical follow-on attacks. A more sophisticated actor uses the same primitive to attempt RCE: by controlling the overflow payload to overwrite the return address (if stack protections are absent or bypassable), they execute shellcode in the context of the AMF process, gaining a foothold on the 5G core host and access to internal network segments hosting AI model serving infrastructure.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: January 7, 2026
Last Modified: January 29, 2026
First Seen: January 7, 2026

Related Vulnerabilities